Description
Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)
A custom CHM file containing embedded payloads could be delivered to a victim and then triggered by User Execution. CHM execution may also bypass application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)
Platforms
Mitigations (2)
Restrict Web-Based Content (M1021)
Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files.
Execution Prevention (M1038)
Consider using application control to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.
Threat Groups (5)
| ID | Group | Context |
|---|---|---|
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used a CHM payload to load and execute another malicious file once delivered to a victim.(Citation... |
| G0070 | Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070) leveraged a compiled HTML file that contained a command to download and run an executable.(Citat... |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has weaponized CHM files in their phishing campaigns.(Citation: Cyber Forensicator Silence Jan 2019)(... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used compiled HTML (.chm) files for targeting.(Citation: FireEye APT41 Aug 2019) |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used CHM files to move concealed payloads.(Citation: Kaspersky Lazarus Under The Hood APR 2017) |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) uses ActiveX objects for file execution and manipulation. (Citation: Cofense Astaroth Sept 2018) |
References
- Microsoft. (2017, August 8). CVE-2017-8625 - Internet Explorer Security Feature Bypass Vulnerability. Retrieved October 3, 2018.
- Microsoft. (2018, May 30). Microsoft HTML Help 1.4. Retrieved October 3, 2018.
- Microsoft. (n.d.). About the HTML Help Executable Program. Retrieved October 3, 2018.
- Microsoft. (n.d.). HTML Help ActiveX Control Overview. Retrieved October 3, 2018.
- Moe, O. (2017, August 13). Bypassing Device guard UMCI using CHM – CVE-2017-8625. Retrieved October 3, 2018.
Frequently Asked Questions
What is T1218.001 (Compiled HTML File)?
T1218.001 is a MITRE ATT&CK technique named 'Compiled HTML File'. It belongs to the Stealth tactic(s). Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of vario...
How can T1218.001 be detected?
Detection of T1218.001 (Compiled HTML File) typically involves monitoring system logs, network traffic, and endpoint telemetry, in particular process creation events in which the HTML Help executable (hh.exe) opens a CHM file. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
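The detection logic above, worked through as an added example (not MITRE's or any vendor's code): it scans constructed process-creation records shaped like Sysmon Event ID 1 fields and flags hh.exe opening a CHM from a user-writable path, or hh.exe spawning an interpreter. The user-writable directory list and the child-process list are assumptions for the example and should be tuned per environment.

```python
"""Flag process-creation events consistent with CHM abuse via hh.exe (T1218.001)."""
import ntpath
import re

# Assumption: CHM files opened from these directories are unusual; legitimate help
# content normally lives under the Windows or Program Files trees.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")
# Assumption: hh.exe has no legitimate reason to launch these programs.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
                       "wscript.exe", "cscript.exe", "certutil.exe"}
# Pulls the first *.chm argument (quoted or not) out of a command line.
CHM_ARG = re.compile(r'"?([^"\s]+\.chm)"?', re.IGNORECASE)


def _base(path):
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of alert reasons for one process-creation event."""
    reasons = []
    image = _base(event.get("Image", ""))
    parent = _base(event.get("ParentImage", ""))
    if image == "hh.exe":
        m = CHM_ARG.search(event.get("CommandLine", ""))
        if m and any(d in m.group(1).lower() for d in USER_WRITABLE):
            reasons.append("hh.exe opened CHM from user-writable path")
    if parent == "hh.exe" and image in SUSPICIOUS_CHILDREN:
        reasons.append(f"hh.exe spawned {image}")
    return reasons


def scan(events):
    """(ProcessId, reason) pairs for every event that triggers a rule."""
    return [(e["ProcessId"], r) for e in events for r in classify(e)]


# Constructed sample telemetry: one benign help lookup, one CHM from Downloads,
# and one child process launched by hh.exe.
SAMPLE_EVENTS = [
    {"ProcessId": 101, "Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Windows\Help\mui\0409\mmc.chm'},
    {"ProcessId": 102, "Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Users\alice\Downloads\invoice.chm"'},
    {"ProcessId": 103, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": r'"cmd.exe" /c echo hello'},
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```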
What mitigations exist for T1218.001?
There are 2 documented mitigations for T1218.001. Key mitigations include: Restrict Web-Based Content, Execution Prevention.
Which threat groups use T1218.001?
Known threat groups using T1218.001 include: OilRig, Dark Caracal, Silence, APT41, APT38.